[GH-ISSUE #612] Receive 403 "invalid signature" on /email/verify #1005

Closed
opened 2026-03-14 11:27:40 +03:00 by kerem · 9 comments

Originally created by @Dryusdan on GitHub (Mar 12, 2024).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/612

Hello

I'm trying to install anonaddy on a self-hosted server and I encounter an error when I try to validate the email: "403 Invalid signature.".

I followed the self-hosting guide.

I dropped and recreated the database, flushed the Redis DB, and dropped and reinstalled the website before asking here, without success :/

I don't have any logs even in debug mode; the only log I have is the access log, which confirms I'm on the right server ^^

Can you help me? ^^'
Thanks :)

kerem closed this issue 2026-03-14 11:27:45 +03:00

@willbrowningme commented on GitHub (Mar 12, 2024):

It must be one of these `AuthorizationException` - https://github.com/anonaddy/anonaddy/blob/master/app/Http/Controllers/Auth/VerificationController.php#L80

Can you add logging inside those if statements to identify which one it is?


@Dryusdan commented on GitHub (Mar 13, 2024):

Surprisingly, I only reach the `__construct` function and none of the ones below it.

diff --git a/app/Http/Controllers/Auth/VerificationController.php b/app/Http/Controllers/Auth/VerificationController.php
index 2f0ed28..13f1ad3 100644
--- a/app/Http/Controllers/Auth/VerificationController.php
+++ b/app/Http/Controllers/Auth/VerificationController.php
@@ -43,6 +43,7 @@ class VerificationController extends Controller
      */
     public function __construct()
     {
+       echo("May here");
         $this->middleware('auth')->except('verify');
         $this->middleware('signed')->only('verify');
         $this->middleware('throttle:1,1')->only('resend');
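Review bot: the `echo("May here")` at the top of `__construct()` writes straight into the HTTP response ahead of the rendered page, which is why the captured output below starts with `May here<!DOCTYPE html>`. The constructor also runs whichever action is requested, so this marker says nothing about which method handled the request. Use the framework logger (for example `Log::debug('VerificationController constructed')`) so the trace lands in the application log and not in the response body.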
@@ -56,6 +57,7 @@ class VerificationController extends Controller
      */
     public function show(Request $request)
     {
+       echo("Present");
         return $request->user()->hasVerifiedEmail()
                         ? redirect($this->redirectPath())
                         : Inertia::render('Auth/Verify', ['flash' => $request->session()->get('resent', null) ? 'A fresh verification link has been sent to your email address.' : null]);
@@ -70,17 +72,21 @@ class VerificationController extends Controller
      */
     public function verify(Request $request)
     {
+       echo("HERE");
         $verifiable = User::find($request->route('id')) ?? Recipient::withPending()->find($request->route('id'));
 
         if (is_null($verifiable)) {
+           echo("Error 1");
             throw new AuthorizationException('Email address not found.');
         }
 
         if (! hash_equals((string) $request->route('id'), (string) $verifiable->getKey())) {
+           echo("Error 2");
             throw new AuthorizationException('Invalid hash.');
         }
 
         if (! Hash::check($verifiable->getEmailForVerification(), (string) base64_decode($request->route('hash')))) {
+           echo("Error 3");
             throw new AuthorizationException('Invalid hash.');
         }
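Review bot: the markers added in `verify()` cannot catch the reported failure, because the three exceptions here carry the messages 'Email address not found.' and 'Invalid hash.', not 'Invalid signature.', and the constructor registers `$this->middleware('signed')->only('verify')`, which is evaluated before this method body runs. The trace belongs at the signed-URL check, logging the query string the request actually arrived with. Separately, `Error 2` and `Error 3` both precede an identical 'Invalid hash.' message; giving those two exceptions distinct messages would make them distinguishable without extra markers.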
```
May here<!DOCTYPE html>
<html lang="en">
    <head>
```

I keep digging :)


@Dryusdan commented on GitHub (Mar 13, 2024):

I checked the datetime on the server and it is good.
I also checked my PHP configuration and replaced it with the default PHP config, without success.

I double-checked MariaDB and saw the encoding wasn't good. I recreated the database with good parameters and the result is still the same :/


@willbrowningme commented on GitHub (Mar 13, 2024):

It's actually throwing an `InvalidSignatureException` from the `ValidateSignature` middleware - https://github.com/anonaddy/anonaddy/blob/master/app/Http/Controllers/Auth/VerificationController.php#L47

So there must be a problem with your verification URL which is created here:

https://github.com/anonaddy/anonaddy/blob/master/app/Notifications/CustomVerifyEmail.php#L66-L73


@Dryusdan commented on GitHub (Mar 13, 2024):

I don't see how I can check if the generated URL is good :/
I have this URL:

https://redacted_domain.tld/email/verify/04a0f519-a8ad-4926-a364-a15c782a4667/JDJ5JDEyJHBCTHljY1UzZHBHa3R4NmpKaXl1dU9jOXBzeWJWVjNvNjgzU1dobEZWMVQxWDZHOGFRclMu?expires=1710330167&signature=a76e5759c3999da1e2106ac51530c07c2cd46627dd66722d610e431a305f868f

(When it's okay, I'll recreate a new instance with a new app key ^^)

I checked whether `expires` was wrong, but it's okay

```
root@mail ~ # date -d @1710330167
Wed Mar 13 12:42:47 PM CET 2024
root@mail ~ # date
Wed Mar 13 11:44:09 AM CET 2024
```

@willbrowningme commented on GitHub (Mar 13, 2024):

The hash must not match that is checked here then - https://github.com/laravel/framework/blob/11.x/src/Illuminate/Routing/UrlGenerator.php#L426-L441

Is your `APP_URL` correct in your `.env` file?


@Dryusdan commented on GitHub (Mar 13, 2024):

It looks good 🤔

```
APP_URL=https://redacted_domain.tld
```

(yes, my domain has some numbers 😅)

The `redacted_domain.tld` is this domain


@willbrowningme commented on GitHub (Mar 13, 2024):

Please try the suggestion in this answer https://stackoverflow.com/a/73215178.

Also check this [thread](https://github.com/laravel/framework/issues/26930).

You might want to remove your actual app URL from your previous comment too.

@Dryusdan commented on GitHub (Mar 13, 2024):

> Please try the suggestion in this answer https://stackoverflow.com/a/73215178.

The `URL::` class isn't loaded in `AppServiceProvider` (`app/Providers/AppServiceProvider.php`), so it makes a 500.
I changed `$proxies` without success.

But, the first link is also good (https://stackoverflow.com/a/75502346). I automated my vhost creation and the location wasn't good. I didn't check it....

So, when I replace

```
location / {
    try_files $uri $uri/ /index.php;
}
```

by this

```
location / {
    try_files $uri $uri/ /index.php?$query_string;
}
```

It works!

Thank you for your help and I'm so sorry to have wasted your time
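
Why the `?$query_string` change resolves the 403, as an added example (not code from this thread, anonaddy or Laravel): a simplified plain-PHP model of an HMAC-signed URL check, where the key, host and timestamps are constructed sample values and `sign_url` / `has_valid_signature` are hypothetical helper names. With the query parameters forwarded the check passes; with a fallback that carries no arguments, `expires` and `signature` never reach PHP and the check fails.

```php
<?php
// Simplified model of a signed-URL check. Not Laravel's or anonaddy's code.
// Assumption: the key, URL and timestamps below are constructed sample values.

/** Sign a URL: append `expires`, then an HMAC-SHA256 over the resulting URL. */
function sign_url(string $base, int $expires, string $key): string
{
    $url = $base . '?' . http_build_query(['expires' => $expires]);
    return $url . '&signature=' . hash_hmac('sha256', $url, $key);
}

/**
 * Validate with the query parameters PHP actually received.
 * $query stands in for $_GET, which is what the nginx fallback URI controls.
 */
function has_valid_signature(string $base, array $query, string $key, int $now): bool
{
    $supplied = (string) ($query['signature'] ?? '');
    unset($query['signature']);

    // Rebuild the URL that was signed from whatever parameters arrived.
    $original = rtrim($base . '?' . http_build_query($query), '?');
    $expected = hash_hmac('sha256', $original, $key);

    $expires    = (int) ($query['expires'] ?? 0);
    $notExpired = !($expires && $now > $expires);

    // Constant-time comparison of the recomputed and supplied signatures.
    return hash_equals($expected, $supplied) && $notExpired;
}

$key  = 'constructed-sample-key';
$base = 'https://app.example.test/email/verify/1/abc';
$now  = 1700000000;
$link = sign_url($base, $now + 3600, $key);

// try_files ... /index.php?$query_string : PHP receives the query string.
parse_str((string) parse_url($link, PHP_URL_QUERY), $forwarded);

// try_files ... /index.php : the fallback URI has no arguments.
$dropped = [];

var_dump(has_valid_signature($base, $forwarded, $key, $now)); // query preserved
var_dump(has_valid_signature($base, $dropped, $key, $now));   // query dropped
```

A quick check on a deployment showing this symptom is to log the query parameters the application receives on the verification route and confirm that `expires` and `signature` are present.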
